Protecting key infrastructure in the age of cyber attacks

Any country needs a stable power supply. But the interlinked and online nature of the systems that run the energy sector and the infrastructure it feeds means it and all it touches are vulnerable to operational failure and cyber attack – with obvious and serious consequences.

For that reason, researchers at the Masdar Institute are examining the vulnerabilities of the energy infrastructure and the wider critical infrastructure relating to its online systems, to try to limit the potential for such attacks and failures.

The biggest vulnerabilities are in the control processes; the hardware and software components that combine to regulate traffic, environment, processes and instrumentation.

That is because these control systems are the junction between the physical systems – a valve or a switch, for example – and the wired world that gives those systems their instructions. If the wrong instruction gets to the valve, the consequences can be disastrous.

In power plants in particular, there are three major areas of susceptibility: architecture, security policy, and software. When failures, malfunctions, hacks, or power cuts occur in any of these areas, they can have cascading effects across not only a national sector but also an entire region.

When the power sector is affected, so too are commercial and residential buildings, transport and industry. Recent history illustrates this only too well. In November 2006, a German electricity operator made a planned and routine disconnection. The results were catastrophic. Because the grid’s operator had failed to take countermeasures to reduce flow on the grid, the power cut spread across Europe.

About 15 million homes were in the dark for hours, more than 100 trains were disrupted, subways had to be evacuated and losses in sales and spoiled products in the dining industry were as high as US$139 million (Dh510.4m).

Sometimes the causes are less benign. In 2003, the safety monitoring system of the Davis-Besse nuclear power plant in Ohio, America, became disabled after a private computer network was infected with the Slammer internet worm, leaving the nuclear plant without a system to check if it was operating safely.

The plant’s operators were lucky – there was no environmental catastrophe. But the dangers of system failure in a nuclear plant are known all too well – with the irradiated Chernobyl disaster site serving to this day as an example of how badly things can go wrong when automated safety mechanisms are disabled by human error or otherwise.

A global response is needed. International and domestic cyber security policies and strategies need to include clear cyber terrorism legislations at national and international levels. States, companies, or individuals must be held accountable and liable for any sort of cyber attacks.

We need better crime-prevention strategies, a regional response to meet common needs and threats and greater collaboration with international organisations such as the United Nations, Interpol, and other regional security initiatives.

To grow as planned, the UAE is expanding critical infrastructure in its cities and, in some cases, it is developing new cities, such as Masdar, along with its associated infrastructure.

Moreover, the UAE is relying on the development of its information and communication technology potential to achieve a vision of “smart cities” in Abu Dhabi and Dubai.

These smart systems will be based on “e-governments”, where the data of government entities, operational networks and the country’s critical infrastructure are linked in real time.

To achieve all this, the UAE’s critical infrastructure will need to be safe from cyber attacks. The Government is well aware of this challenge and has initiated efforts in Abu Dhabi and Dubai to develop a strategy – and technical capacity – for cyber security.

We hope our research at the Masdar Institute will complement those of existing government entities, to help the UAE and other forward-thinking governments have a better understanding of the link between sustainable development and protecting critical infrastructure against system failure and cyber attacks.

It should eventually result in better system security, stronger fail-safe procedures, and new policy to tackle cyber security on a company, country and regional level.

That would contribute to enhanced security and prosperity for not just the UAE, but all people.